From ac2a56ef4646129a647167ceb5335096779abb43 Mon Sep 17 00:00:00 2001 From: zblurx Date: Thu, 29 Feb 2024 16:36:53 +0100 Subject: [PATCH 1/3] fix ldap-checker module --- nxc/modules/ldap-checker.py | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/nxc/modules/ldap-checker.py b/nxc/modules/ldap-checker.py index 075132a4..c6cb5702 100644 --- a/nxc/modules/ldap-checker.py +++ b/nxc/modules/ldap-checker.py @@ -39,10 +39,15 @@ class NXCModule: async def run_ldaps_noEPA(target, credential): ldapsClientConn = MSLDAPClientConnection(target, credential) _, err = await ldapsClientConn.connect() + + # Required step to try to bind without channel binding + ldapsClientConn.cb_data = None + if err is not None: context.log.fail("ERROR while connecting to " + str(connection.domain) + ": " + str(err)) sys.exit() - _, err = await ldapsClientConn.bind() + + valid, err = await ldapsClientConn.bind() if "data 80090346" in str(err): return True # channel binding IS enforced elif "data 52e" in str(err): @@ -116,9 +121,13 @@ class NXCModule: async def run_ldap(target, credential): ldapsClientConn = MSLDAPClientConnection(target, credential) _, err = await ldapsClientConn.connect() + + # Intentionnaly breaking the security context + ldapsClientConn.cb_data = None + if err is None: _, err = await ldapsClientConn.bind() - if "stronger" in str(err): + if "AcceptSecurityContext" in str(err): return True # because LDAP server signing requirements ARE enforced elif ("data 52e") in str(err): context.log.fail("Not connected... exiting") 
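Review bot: In run_ldaps_noEPA the bind result is now bound to `valid`, but nothing in the visible lines reads it; the branches that follow still classify the outcome only by substrings of `str(err)`. Either keep `_, err = await ldapsClientConn.bind()` or use the flag for the success case. `ldapsClientConn.cb_data = None` also runs before the `err` check on connect(), so it is applied even to a connection that failed; moving it below that check keeps the error path untouched. The function body continues past the end of the hunk, so `valid` may be read there.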
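Review bot: The new first test in run_ldap, `if "AcceptSecurityContext" in str(err):`, is broader than the `"stronger"` match it replaces and shadows the `elif ("data 52e") in str(err)` branch below it. Active Directory bind failures for bad credentials usually carry both strings in one message (`... AcceptSecurityContext error, data 52e ...`), so a wrong password would return True and be reported as signing enforced. Testing `"data 52e"` first, or matching the strongerAuthRequired text specifically, avoids that false result; patch 2/3 in this series goes back to the `"stronger"` match. The added comment has a typo (`Intentionnaly`) and describes clearing `cb_data`, which is channel-binding data, without saying how that relates to a signing check. The function body continues outside the hunk.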
@@ -148,9 +157,8 @@ class NXCModule: stype=stype, ) - target = MSLDAPTarget(connection.host, hostname=connection.hostname, domain=connection.domain, dc_ip=connection.domain) + target = MSLDAPTarget(connection.host, 636,UniProto.CLIENT_SSL_TCP, hostname=connection.hostname, domain=connection.domain, dc_ip=connection.domain) ldapIsProtected = asyncio.run(run_ldap(target, credential)) - if ldapIsProtected is False: context.log.highlight("LDAP Signing NOT Enforced!") elif ldapIsProtected is True: @@ -162,7 +170,7 @@ class NXCModule: if DoesLdapsCompleteHandshake(connection.host) is True: target = MSLDAPTarget(connection.host, 636, UniProto.CLIENT_SSL_TCP, hostname=connection.hostname, domain=connection.domain, dc_ip=connection.domain) ldapsChannelBindingAlwaysCheck = asyncio.run(run_ldaps_noEPA(target, credential)) - target = MSLDAPTarget(connection.host, hostname=connection.hostname, domain=connection.domain, dc_ip=connection.domain) + target = MSLDAPTarget(connection.host, 636, UniProto.CLIENT_SSL_TCP, hostname=connection.hostname, domain=connection.domain, dc_ip=connection.domain) ldapsChannelBindingWhenSupportedCheck = asyncio.run(run_ldaps_withEPA(target, credential)) if ldapsChannelBindingAlwaysCheck is False and ldapsChannelBindingWhenSupportedCheck is True: context.log.highlight('LDAPS Channel Binding is set to "When Supported"') From addc0600773c2d7fdf5d2cacfe9d44bc719018a9 Mon Sep 17 00:00:00 2001 From: zblurx Date: Thu, 21 Mar 2024 17:04:49 +0100 Subject: [PATCH 2/3] fix ldap signing check --- nxc/modules/ldap-checker.py | 41 +++++++++++++++++++++---------------- 1 file changed, 23 insertions(+), 18 deletions(-) diff --git a/nxc/modules/ldap-checker.py b/nxc/modules/ldap-checker.py index c6cb5702..21fc8940 100644 --- a/nxc/modules/ldap-checker.py +++ b/nxc/modules/ldap-checker.py 
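Review bot: The target for the signing probe is switched to `636,UniProto.CLIENT_SSL_TCP`, yet `run_ldap` decides whether LDAP signing is enforced, and a server normally applies that requirement to binds on the plain LDAP port rather than to sessions already wrapped in TLS. Over LDAPS the bind would presumably succeed whatever the policy is, so `ldapIsProtected` would come back False and the module would print "LDAP Signing NOT Enforced!" for a hardened domain controller. The probe should stay on the non-TLS port, which patch 2/3 restores with `MSLDAPTarget(connection.host, 389, ...)`. The new call is also missing a space after `636,`.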
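Review bot: After this change the `target` built for run_ldaps_withEPA is identical to the one built two lines earlier for run_ldaps_noEPA, so the second `MSLDAPTarget(...)` call is redundant unless the first probe mutates the target object. Building it once and adding a comment such as `# both channel-binding probes use the same LDAPS target` would make that explicit. If a fresh object per probe is intentional, the comment should say so instead.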
@@ -9,7 +9,7 @@ from asyauth.common.constants import asyauthSecret from asyauth.common.credentials.ntlm import NTLMCredential from asyauth.common.credentials.kerberos import KerberosCredential -from asysocks.unicomm.common.target import UniTarget, UniProto +from asysocks.unicomm.common.target import UniTarget, UniProto, UniSSL import sys @@ -119,23 +119,28 @@ class NXCModule: # requirements are enforced based on potential errors # during the bind attempt. async def run_ldap(target, credential): - ldapsClientConn = MSLDAPClientConnection(target, credential) - _, err = await ldapsClientConn.connect() - - # Intentionnaly breaking the security context - ldapsClientConn.cb_data = None - - if err is None: - _, err = await ldapsClientConn.bind() - if "AcceptSecurityContext" in str(err): - return True # because LDAP server signing requirements ARE enforced - elif ("data 52e") in str(err): - context.log.fail("Not connected... exiting") - sys.exit() - elif err is None: + try: + ldapsClientConn = MSLDAPClientConnection(target, credential) + ldapsClientConn._disable_signing = True + _, err = await ldapsClientConn.connect() + if err is not None: + context.log.fail(str(err)) return False - else: - context.log.fail(str(err)) + + _, err = await ldapsClientConn.bind() + if err is not None: + errstr = str(err).lower() + if "stronger" in errstr: + return True #because LDAP server signing requirements ARE enforced + else: + context.log.fail(str(err)) + else: + #LDAPS bind successful + return False #because LDAP server signing requirements are not enforced + except Exception as e: + context.log.debug(str(e)) + return False + # Run trough all our code blocks to determine LDAP signing and channel binding settings. stype = asyauthSecret.PASS if not connection.nthash else asyauthSecret.NT 
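Review bot: The rewritten run_ldap returns False both when connect() fails (`context.log.fail(str(err))` then `return False`) and in the `except Exception` handler, and the caller treats False as a finding: `if ldapIsProtected is False:` prints "LDAP Signing NOT Enforced!". An unreachable host or a library error is then reported as a weak configuration, while the unrecognised-bind-error branch falls through and returns None. Using `return None` in place of those two `return False` lines would keep False for the one case where the unsigned bind actually succeeded; how the caller handles None is outside this hunk. The exception is logged only with `context.log.debug`, so the reason for an inconclusive run is hidden by default. `_disable_signing` is a private attribute of the connection object, and a comment noting that dependency would help when the library changes.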
@@ -157,7 +162,7 @@ class NXCModule: stype=stype, ) - target = MSLDAPTarget(connection.host, 636,UniProto.CLIENT_SSL_TCP, hostname=connection.hostname, domain=connection.domain, dc_ip=connection.domain) + target = MSLDAPTarget(connection.host, 389, hostname=connection.hostname, domain=connection.domain, dc_ip=connection.domain) ldapIsProtected = asyncio.run(run_ldap(target, credential)) if ldapIsProtected is False: context.log.highlight("LDAP Signing NOT Enforced!") From e8fe42cb4a6d4290851830c1acd4a9c90f422961 Mon Sep 17 00:00:00 2001 From: zblurx Date: Thu, 21 Mar 2024 17:09:22 +0100 Subject: [PATCH 3/3] fix ruff warning --- nxc/modules/ldap-checker.py | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/nxc/modules/ldap-checker.py b/nxc/modules/ldap-checker.py index 21fc8940..d0bb3bb6 100644 --- a/nxc/modules/ldap-checker.py +++ b/nxc/modules/ldap-checker.py @@ -9,7 +9,7 @@ from asyauth.common.constants import asyauthSecret from asyauth.common.credentials.ntlm import NTLMCredential from asyauth.common.credentials.kerberos import KerberosCredential -from asysocks.unicomm.common.target import UniTarget, UniProto, UniSSL +from asysocks.unicomm.common.target import UniTarget, UniProto import sys @@ -131,12 +131,14 @@ class NXCModule: if err is not None: errstr = str(err).lower() if "stronger" in errstr: - return True #because LDAP server signing requirements ARE enforced + return True + # because LDAP server signing requirements ARE enforced else: context.log.fail(str(err)) else: - #LDAPS bind successful - return False #because LDAP server signing requirements are not enforced + # LDAPS bind successful + return False + # because LDAP server signing requirements are not enforced except Exception as e: context.log.debug(str(e)) return False
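Review bot: `dc_ip=connection.domain` on the changed line passes the domain name where the parameter name suggests an address; the same argument appears in the MSLDAPTarget calls of the @@ -148 and @@ -162 hunks of patch 1/3. If the library only resolves the value through DNS this may work, but it presumably should be the host address, e.g. `dc_ip=connection.host`, which needs confirming against MSLDAPTarget. The literal `389` would also benefit from a comment such as `# signing is only negotiated on the non-TLS LDAP port`.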
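Review bot: The comments moved below `return True` and `return False` in the @@ -131 hunk now sit after the statement they explain, at the same indentation, where they read as notes on unreachable code. Each belongs above its return, e.g. `# signing IS enforced: the server demanded stronger authentication` before `return True`. `# LDAPS bind successful` is also inaccurate since patch 2/3 points this probe at port 389; `# unsigned LDAP bind succeeded, so signing is not enforced` says what the branch means. The `else: context.log.fail(str(err))` branch still ends without an explicit return.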